A Two year old PHP CGI remote code execution vulnerability(CVE-2012-1823) is being exploited to install a Bitcoin malware in the web server, reports Symantec.

Symantec says they have noticed a substantial increase in the quantity of php code inclusion attacks against its Managed Security Services(MSS) customers.

Only Linux web servers running the outdated PHP version are said to be vulnerable to this exploit. As of Jan. 7, more than its Security Operations Center(SOC) customers have been affected by these exploit attempts.

PHP CGI Remote code execution exploit

Vulnerable servers are targeted with an exploit code which disables the security_mode and enable other options needed for the exploit. If they server is vulnerable, then the exploit downloads 'a' script that will install Bitcoin Miner.

"The role of Bitcoin mining in this scenario is to harness the victim’s computational resources to financially benefit the perpetrators." say researchers at Symantec. "The victim systems in this situation have been wrongfully hijacked and pressed into service, which may cause slowdowns for legitimate users and resource issues for server owners. "